idnits 2.17.1 draft-ietf-dnsop-rfc2845bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 3 instances of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document obsoletes RFC4635, but the abstract doesn't seem to directly say this. It does mention RFC4635 though, so this could be OK. -- The draft header indicates that this document obsoletes RFC2845, but the abstract doesn't seem to directly say this. It does mention RFC2845 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 397 has weird spacing: '... Signed in ...' == Line 430 has weird spacing: '...AC Data octe...' == Line 687 has weird spacing: '...ptional gss...' == Line 688 has weird spacing: '...ndatory hmac...' == Line 689 has weird spacing: '...ptional hma...' == (3 more instances...) == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 17, 2018) is 2082 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4' ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) ** Obsolete normative reference: RFC 4635 (Obsoleted by RFC 8945) Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force F. Dupont, Ed. 3 Internet-Draft S. Morris 4 Obsoletes: 2845, 4635 (if approved) ISC 5 Intended status: Standards Track July 17, 2018 6 Expires: January 18, 2019 8 Secret Key Transaction Authentication for DNS (TSIG) 9 draft-ietf-dnsop-rfc2845bis-00 11 Abstract 13 This protocol allows for transaction level authentication using 14 shared secrets and one way hashing. It can be used to authenticate 15 dynamic updates as coming from an approved client, or to authenticate 16 responses as coming from an approved name server. 18 No provision has been made here for distributing the shared secrets: 19 it is expected that a network administrator will statically configure 20 name servers and clients using some out of band mechanism. 22 This document includes revised original TSIG specifications (RFC2845) 23 and its extension for HMAC-SHA (RFC4635). 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 18, 2019. 42 Copyright Notice 44 Copyright (c) 2018 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (https://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 This document may contain material from IETF Documents or IETF 58 Contributions published or made publicly available before November 59 10, 2008. The person(s) controlling the copyright in some of this 60 material may not have granted the IETF Trust the right to allow 61 modifications of such material outside the IETF Standards Process. 62 Without obtaining an adequate license from the person(s) controlling 63 the copyright in such materials, this document may not be modified 64 outside the IETF Standards Process, and derivative works of it may 65 not be created outside the IETF Standards Process, except to format 66 it for publication as an RFC or to translate it into languages other 67 than English. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 72 2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 74 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 75 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 76 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 77 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 78 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 79 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 80 5.1. Effects of adding TSIG to outgoing message . . . . . . . 7 81 5.2. TSIG processing on incoming messages . . . . . . . . . . 8 82 5.3. Time values used in TSIG calculations . . . . . . . . . . 8 83 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 8 84 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 85 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 86 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 9 87 5.5. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 10 88 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 89 6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10 90 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 91 6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 10 92 6.4. TSIG on zone tranfer over a TCP connection . . . . . . . 11 93 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 11 94 6.5.1. Key check and error handling . . . . . . . . . . . . 11 95 6.5.2. Specifying Truncation . . . . . . . . . . . . . . . . 12 96 6.5.3. MAC check and error handling . . . . . . . . . . . . 12 97 6.5.4. Time check and error handling . . . . . . . . . . . . 13 98 6.5.5. Truncation check and error handling . . . . . . . . . 13 99 6.6. Client processing of answer . . . . . . . . . . . . . . . 13 100 6.6.1. Key error handling . . . . . . . . . . . . . . . . . 13 101 6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14 102 6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14 103 6.6.4. Truncation error handling . . . . . . . . . . . . . . 14 104 6.7. Special considerations for forwarding servers . . . . . . 14 105 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 14 106 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 15 107 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 16 108 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 109 11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 110 11.1. Issue fixed in this document . . . . . . . . . . . . . . 18 111 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 18 112 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 113 12.1. Normative References . . . . . . . . . . . . . . . . . . 19 114 12.2. Informative References . . . . . . . . . . . . . . . . . 20 115 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 21 116 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 22 117 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 119 1. Introduction 121 In 2017, security problems in two nameservers strictly following 122 [RFC2845] and [RFC4635] (i.e., TSIG and its HMAC-SHA extension) 123 specifications were discovered. The implementations were fixed but, 124 to avoid similar problems in the future, the two documents were 125 updated and merged, producing these revised specifications for TSIG. 127 The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated 128 hierarchical distributed database system that provides information 129 fundamental to Internet operations, such as name <=> address 130 translation and mail handling information. 132 This document specifies use of a message authentication code (MAC), 133 either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an 134 efficient means of point-to-point authentication and integrity 135 checking for transactions. 137 The second area where the secret key based MACs specified in this 138 document can be used is to authenticate DNS update requests as well 139 as transaction responses, providing a lightweight alternative to the 140 protocol described by [RFC3007]. 142 A further use of this mechanism is to protect zone transfers. In 143 this case the data covered would be the whole zone transfer including 144 any glue records sent. The protocol described by DNSSEC does not 145 protect glue records and unsigned records unless SIG(0) (transaction 146 signature) is used. 148 The authentication mechanism proposed in this document uses shared 149 secret keys to establish a trust relationship between two entities. 150 Such keys must be protected in a fashion similar to private keys, 151 lest a third party masquerade as one of the intended parties (by 152 forging the MAC). There is an urgent need to provide simple and 153 efficient authentication between clients and local servers and this 154 proposal addresses that need. The proposal is unsuitable for general 155 server to server authentication for servers which speak with many 156 other servers, since key management would become unwieldy with the 157 number of shared keys going up quadratically. But it is suitable for 158 many resolvers on hosts that only talk to a few recursive servers. 160 A server acting as an indirect caching resolver -- a "forwarder" in 161 common usage -- might use transaction-based authentication when 162 communicating with its small number of preconfigured "upstream" 163 servers. Other uses of DNS secret key authentication and possible 164 systems for automatic secret key distribution may be proposed in 165 separate future documents. 167 Note that use of TSIG presumes prior agreement between the two 168 parties involved (e.g., resolver and server) as to the algorithm and 169 key to be used. 171 Since the publication of first version of this document ([RFC2845]) a 172 mechanism based on asymmetric signatures using the SIG RR was 173 specified (SIG(0) [RFC2931]) whereas this document uses symmetric 174 authentication codes calculated by HMAC [RFC2104] using strong hash 175 functions. 177 2. Key words 179 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 180 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 181 "OPTIONAL" in this document are to be interpreted as described in BCP 182 14 [RFC2119] [RFC8174] when, and only when, they appear in all 183 capitals, as shown here. 185 3. New Assigned Numbers 187 RRTYPE = TSIG (250) 188 ERROR = 0..15 (a DNS RCODE) 189 ERROR = 16 (BADSIG) 190 ERROR = 17 (BADKEY) 191 ERROR = 18 (BADTIME) 192 ERROR = 22 (BADTRUNC) 194 4. TSIG RR Format 196 4.1. TSIG RR Type 198 To provide secret key authentication, we use a new RR type whose 199 mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and 200 MUST NOT be cached. TSIG RRs are used for authentication between DNS 201 entities that have established a shared secret key. TSIG RRs are 202 dynamically computed to cover a particular DNS transaction and are 203 not DNS RRs in the usual sense. 205 4.2. TSIG Calculation 207 As the TSIG RRs are related to one DNS request/response, there is no 208 value in storing or retransmitting them, thus the TSIG RR is 209 discarded once it has been used to authenticate a DNS message. 210 Recommendations concerning the message digest agorithm can be found 211 in Section 7. All multi-octet integers in the TSIG record are sent 212 in network byte order (see [RFC1035] 2.3.2). 214 4.3. TSIG Record Format 216 NAME The name of the key used in domain name syntax. The name 217 should reflect the names of the hosts and uniquely identify the 218 key among a set of keys these two hosts may share at any given 219 time. If hosts A.site.example and B.example.net share a key, 220 possibilities for the key name include .A.site.example, 221 .B.example.net, and .A.site.example.B.example.net. It 222 should be possible for more than one key to be in simultaneous 223 use among a set of interacting hosts. The name only needs to 224 be meaningful to the communicating hosts but a meaningful 225 mnemonic name as above is strongly recommended. 227 The name may be used as a local index to the key involved and 228 it is recommended that it be globally unique. Where a key is 229 just shared between two hosts, its name actually need only be 230 meaningful to them but it is recommended that the key name be 231 mnemonic and incorporate the resolver and server host names in 232 that order. 234 TYPE TSIG (250: Transaction SIGnature) 236 CLASS ANY 238 TTL 0 240 RdLen (variable) 241 RDATA The RDATA for a TSIG RR consists of an octet stream Algorithm 242 Name field, a uint48_t Time Signed field, a uint16_t Fudge 243 field, a uint16_t MAC Size field, a octet stream MAC field, a 244 uint16_t Original ID, a uint16_t Error field, a uint16_t Other 245 Len field and an octet stream of Other Data. 247 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 248 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 / Algorithm Name / 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | | 253 | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | | Fudge | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | MAC Size | / 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / 258 / / 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | Original ID | Error | 261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 262 | Other Len | / 263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / 264 / / 265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 The contents of the RDATA fields are: 269 * Algorithm Name - identifies the TSIG algorithm name in the 270 domain name syntax. 272 * Time Signed - the The Time Signed field specifies seconds 273 since 00:00 on 1970-01-01 UTC. 275 * Fudge - specifies allowed time difference in seconds 276 permitted in the Time Signed field. 278 * MAC Size - the MAC Size field specifies the length of MAC 279 field in octets. Truncation is indicated by a MAC size less 280 than the HMAC size. 282 * MAC - the contents of the MAC field are defined by the TSIG 283 algorithm used. 285 * Error - contains the expanded RCODE covering TSIG 286 processing. 288 * Other Len - specifies the length of the "Other Data" field 289 in octets. 291 * Other Data - this field will be empty unless the content of 292 the Error field is BADTIME, in which case it will contain 293 the server's current time (see Section 6.5.4). 295 4.4. Example 297 NAME HOST.EXAMPLE. 299 TYPE TSIG 301 CLASS ANY 303 TTL 0 305 RdLen As appropriate 307 RDATA 309 Field Name Contents 310 -------------- ------------------- 311 Algorithm Name SAMPLE-ALG.EXAMPLE. 312 Time Signed 853804800 313 Fudge 300 314 MAC Size As appropriate 315 MAC As appropriate 316 Original ID As appropriate 317 Error 0 (NOERROR) 318 Other Len 0 319 Other Data Empty 321 5. Protocol Operation 323 5.1. Effects of adding TSIG to outgoing message 325 Once the outgoing message has been constructed, the HMAC computation 326 can be performed. The resulting MAC will then be stored in a TSIG 327 which is appended to the additional data section (the ARCOUNT is 328 incremented to reflect this). If the TSIG record cannot be added 329 without causing the message to be truncated, the server MUST alter 330 the response so that a TSIG can be included. This response consists 331 of only the question and a TSIG record, and has the TC bit set and 332 RCODE 0 (NOERROR). The client SHOULD at this point retry the request 333 using TCP (per [RFC1035] 4.2.2). 335 5.2. TSIG processing on incoming messages 337 If an incoming message contains a TSIG record, it MUST be the last 338 record in the additional section. Multiple TSIG records are not 339 allowed. If a TSIG record is present in any other position, the DNS 340 message is dropped and a response with RCODE 1 (FORMERR) MUST be 341 returned. Upon receipt of a message with a correctly placed TSIG RR, 342 the TSIG RR is copied to a safe location, removed from the DNS 343 Message, and decremented out of the DNS message header's ARCOUNT. At 344 this point the HMAC computation is performed: until this operation 345 concludes that the signature is valid, the signature MUST be 346 considered to be invalid. 348 If the algorithm name or key name is unknown to the recipient, or if 349 the MACs do not match, the whole DNS message MUST be discarded. If 350 the message is a query, a response with RCODE 9 (NOTAUTH) MUST be 351 sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR 352 16 (BADSIG). If no key is available to sign this message it MUST be 353 sent unsigned (MAC size == 0 and empty MAC). A message to the system 354 operations log SHOULD be generated, to warn the operations staff of a 355 possible security incident in progress. Care should be taken to 356 ensure that logging of this type of event does not open the system to 357 a denial of service attack. 359 5.3. Time values used in TSIG calculations 361 The data digested includes the two timer values in the TSIG header in 362 order to defend against replay attacks. If this were not done, an 363 attacker could replay old messages but update the "Time Signed" and 364 "Fudge" fields to make the message look new. This data is named 365 "TSIG Timers", and for the purpose of MAC calculation they are 366 invoked in their "on the wire" format, in the following order: first 367 Time Signed, then Fudge. For example: 369 Field Name Value Wire Format Meaning 370 ----------- --------- ----------------- ------------------------ 371 Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 372 Fudge 300 01 2C 5 minutes 374 5.4. TSIG Variables and Coverage 376 When generating or verifying the contents of a TSIG record, the 377 following data are passed as input to MAC computation, in network 378 byte order or wire format, as appropriate: 380 5.4.1. DNS Message 382 A whole and complete DNS message in wire format, before the TSIG RR 383 has been added to the additional data section and before the DNS 384 Message Header's ARCOUNT field has been incremented to contain the 385 TSIG RR. If the message ID differs from the original message ID, the 386 original message ID is substituted for the message ID. This could 387 happen when forwarding a dynamic update request, for example. 389 5.4.2. TSIG Variables 391 Source Field Name Notes 392 ---------- -------------- ----------------------------------------- 393 TSIG RR NAME Key name, in canonical wire format 394 TSIG RR CLASS (Always ANY in the current specification) 395 TSIG RR TTL (Always 0 in the current specification) 396 TSIG RDATA Algorithm Name in canonical wire format 397 TSIG RDATA Time Signed in network byte order 398 TSIG RDATA Fudge in network byte order 399 TSIG RDATA Error in network byte order 400 TSIG RDATA Other Len in network byte order 401 TSIG RDATA Other Data exactly as transmitted 403 The RR RDLEN and RDATA MAC Length are not included in the input to 404 MAC computation since they are not guaranteed to be knowable before 405 the MAC is generated. 407 The Original ID field is not included in this section, as it has 408 already been substituted for the message ID in the DNS header and 409 hashed. 411 For each label type, there must be a defined "Canonical wire format" 412 that specifies how to express a label in an unambiguous way. For 413 label type 00, this is defined in [RFC4034], for label type 01, this 414 is defined in [RFC6891]. The use of label types other than 00 and 01 415 is not defined for this specification. 417 5.4.3. Request MAC 419 When generating the MAC to be included in a response, the validated 420 request MAC MUST be included in the MAC computation. If the request 421 MAC failed to validate, an unsigned error message MUST be returned 422 instead. (Section 6.3). 424 The request's MAC is digested in wire format, including the following 425 fields: 427 Field Type Description 428 ---------- ------------ ---------------------- 429 MAC Length uint16_t in network byte order 430 MAC Data octet stream exactly as transmitted 432 5.5. Padding 434 Digested components (i.e., inputs to HMAC computation) are fed into 435 the hashing function as a continuous octet stream with no interfield 436 padding. 438 6. Protocol Details 440 6.1. TSIG generation on requests 442 Client performs the HMAC computation and appends a TSIG record to the 443 additional data section and transmits the request to the server. The 444 client MUST store the MAC from the request while awaiting an answer. 445 The digest components for a request are: 447 DNS Message (request) 448 TSIG Variables (request) 450 Note that some older name servers will not accept requests with a 451 nonempty additional data section. Clients SHOULD only attempt signed 452 transactions with servers who are known to support TSIG and share 453 some secret key with the client -- so, this is not a problem in 454 practice. 456 6.2. TSIG on Answers 458 When a server has generated a response to a signed request, it signs 459 the response using the same algorithm and key. The server MUST NOT 460 generate a signed response to an unsigned request or a request that 461 fails validation. The digest components are: 463 Request MAC 464 DNS Message (response) 465 TSIG Variables (response) 467 6.3. TSIG on TSIG Error returns 469 When a server detects an error relating to the key or MAC, the server 470 SHOULD send back an unsigned error message (MAC size == 0 and empty 471 MAC). If an error is detected relating to the TSIG validity period 472 or the MAC is too short for the local policy, the server SHOULD send 473 back a signed error message. The digest components are: 475 Request MAC (if the request MAC validated) 476 DNS Message (response) 477 TSIG Variables (response) 479 The reason that the request is not included in this MAC in some cases 480 is to make it possible for the client to verify the error. If the 481 error is not a TSIG error the response MUST be generated as specified 482 in Section 6.2. 484 6.4. TSIG on zone tranfer over a TCP connection 486 A zone transfer over a DNS TCP session can include multiple DNS 487 messages. Using TSIG on such a connection can protect the connection 488 from hijacking and provide data integrity. The TSIG MUST be included 489 on the first and last DNS messages, and for new implementations 490 SHOULD be placed on all intermediary messages. For backward 491 compatibility the client which receives DNS messages and verifies 492 TSIG MUST accept up to 99 intermediary messages without a TSIG. The 493 first envelope is processed as a standard answer, and subsequent 494 messages have the following digest components: 496 Prior MAC (running) 497 DNS Messages (any unsigned messages since the last TSIG) 498 TSIG Timers (current message) 500 This allows the client to rapidly detect when the session has been 501 altered; at which point it can close the connection and retry. If a 502 client TSIG verification fails, the client MUST close the connection. 503 If the client does not receive TSIG records frequently enough (as 504 specified above) it SHOULD assume the connection has been hijacked 505 and it SHOULD close the connection. The client SHOULD treat this the 506 same way as they would any other interrupted transfer (although the 507 exact behavior is not specified). 509 6.5. Server TSIG checks 511 Upon receipt of a message, server will check if there is a TSIG RR. 512 If one exists, the server is REQUIRED to return a TSIG RR in the 513 response. The server MUST perform the following checks in the 514 following order, check Key, check MAC, check Time values, check 515 Truncation policy. 517 6.5.1. Key check and error handling 519 If a non-forwarding server does not recognize the key used by the 520 client, the server MUST generate an error response with RCODE 9 521 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned 522 as specified in Section 6.3. The server SHOULD log the error. 524 6.5.2. Specifying Truncation 526 When space is at a premium and the strength of the full length of an 527 HMAC is not needed, it is reasonable to truncate the HMAC and use the 528 truncated value for authentication. HMAC SHA-1 truncated to 96 bits 529 is an option available in several IETF protocols, including IPsec and 530 TLS. 532 Processing of a truncated MAC follows these rules 534 1. If "MAC size" field is greater than HMAC output length: 536 This case MUST NOT be generated and, if received, MUST cause the 537 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 539 2. If "MAC size" field equals HMAC output length: 541 The entire output HMAC output is present and used. 543 3. "MAC size" field is less than HMAC output length but greater than 544 that specified in case 4, below: 546 This is sent when the signer has truncated the HMAC output to an 547 allowable length, as described in [RFC2104], taking initial 548 octets and discarding trailing octets. TSIG truncation can only 549 be to an integral number of octets. On receipt of a DNS message 550 with truncation thus indicated, the locally calculated MAC is 551 similarly truncated and only the truncated values are compared 552 for authentication. The request MAC used when calculating the 553 TSIG MAC for a reply is the truncated request MAC. 555 4. "MAC size" field is less than the larger of 10 (octets) and half 556 the length of the hash function in use: 558 With the exception of certain TSIG error messages described in 559 Section 6.3, where it is permitted that the MAC size be zero, 560 this case MUST NOT be generated and, if received, MUST cause the 561 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 563 6.5.3. MAC check and error handling 565 If a TSIG fails to verify, the server MUST generate an error response 566 as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 567 (BADSIG). This response MUST be unsigned as specified in 568 Section 6.3. The server SHOULD log the error. 570 6.5.4. Time check and error handling 572 If the server time is outside the time interval specified by the 573 request (which is: Time Signed, plus/minus Fudge), the server MUST 574 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 575 (BADTIME). The server SHOULD also cache the most recent time signed 576 value in a message generated by a key, and SHOULD return BADTIME if a 577 message received later has an earlier time signed value. A response 578 indicating a BADTIME error MUST be signed by the same key as the 579 request. It MUST include the client's current time in the time 580 signed field, the server's current time (a uint48_t) in the other 581 data field, and 6 in the other data length field. This is done so 582 that the client can verify a message with a BADTIME error without the 583 verification failing due to another BADTIME error. The data signed 584 is specified in Section 6.3. The server SHOULD log the error. 586 6.5.5. Truncation check and error handling 588 If a TSIG is received with truncation that is permitted under 589 Section 6.5.2 above but the MAC is too short for the local policy in 590 force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be 591 returned. The server SHOULD log the error. 593 6.6. Client processing of answer 595 When a client receives a response from a server and expects to see a 596 TSIG, it first checks if the TSIG RR is present in the response. 597 Otherwise, the response is treated as having a format error and 598 discarded. The client then extracts the TSIG, adjusts the ARCOUNT, 599 and calculates the MAC in the same way as the server, applying the 600 same rules to decide if truncated MAC is valid. If the TSIG does not 601 validate, that response MUST be discarded, unless the RCODE is 9 602 (NOTAUTH), in which case the client SHOULD attempt to verify the 603 response as if it were a TSIG Error response, as specified in 604 Section 6.3. A message containing an unsigned TSIG record or a TSIG 605 record which fails verification SHOULD NOT be considered an 606 acceptable response; the client SHOULD log an error and continue to 607 wait for a signed response until the request times out. 609 6.6.1. Key error handling 611 If an RCODE on a response is 9 (NOTAUTH), and the response TSIG 612 validates, and the TSIG key is different from the key used on the 613 request, then this is a Key error. The client MAY retry the request 614 using the key specified by the server. This should never occur, as a 615 server MUST NOT sign a response with a different key than signed the 616 request. 618 6.6.2. MAC error handling 620 If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), 621 this is a MAC error, and client MAY retry the request with a new 622 request ID but it would be better to try a different shared key if 623 one is available. Clients SHOULD keep track of how many MAC errors 624 are associated with each key. Clients SHOULD log this event. 626 6.6.3. Time error handling 628 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 629 (BADTIME), or the current time does not fall in the range specified 630 in the TSIG record, then this is a Time error. This is an indication 631 that the client and server clocks are not synchronized. In this case 632 the client SHOULD log the event. DNS resolvers MUST NOT adjust any 633 clocks in the client based on BADTIME errors, but the server's time 634 in the other data field SHOULD be logged. 636 6.6.4. Truncation error handling 638 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 639 (BADTRUNC) the this is a Truncation error. The client MAY retry with 640 lesser truncation up to the full HMAC output (no truncation), using 641 the truncation used in the response as a hint for what the server 642 policy allowed (Section 8). Clients SHOULD log this event. 644 6.7. Special considerations for forwarding servers 646 A server acting as a forwarding server of a DNS message SHOULD check 647 for the existence of a TSIG record. If the name on the TSIG is not 648 of a secret that the server shares with the originator the server 649 MUST forward the message unchanged including the TSIG. If the name 650 of the TSIG is of a key this server shares with the originator, it 651 MUST process the TSIG. If the TSIG passes all checks, the forwarding 652 server MUST, if possible, include a TSIG of his own, to the 653 destination or the next forwarder. If no transaction security is 654 available to the destination and the response has the AD flag (see 655 [RFC4035]), the forwarder MUST unset the AD flag before adding the 656 TSIG to the answer. 658 7. Algorithms and Identifiers 660 The only message digest algorithm specified in the first version of 661 these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], 662 [RFC2104]). The "HMAC-MD5" algorithm is mandatory to implement for 663 interoperability. 665 The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as 666 compared to the 128 bits for MD5), and additional hash algorithms in 667 the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, 668 and 512 bits may be preferred in some cases. This is because 669 increasingly successful cryptanalytic attacks are being made on the 670 shorter hashes. 672 Use of TSIG between two DNS agents is by mutual agreement. That 673 agreement can include the support of additional algorithms and 674 criteria as to which algorithms and truncations are acceptable, 675 subject to the restriction and guidelines in Section 6.5.2 above. 676 Key agreement can be by the TKEY mechanism [RFC2930] or some other 677 mutually agreeable method. 679 The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are 680 included in the table below for convenience. Implementations that 681 support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY 682 implement gss-tsig and the other algorithms listed below. 684 Requirement Name 685 ----------- ------------------------ 686 Mandatory HMAC-MD5.SIG-ALG.REG.INT 687 Optional gss-tsig 688 Mandatory hmac-sha1 689 Optional hmac-sha224 690 Mandatory hmac-sha256 691 Optional hmac-sha384 692 Optional hmac-sha512 694 SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. 696 8. TSIG Truncation Policy 698 Use of TSIG is by mutual agreement between two DNS agents, e.g., a 699 resolver and server. Implicit in such an "agreement" are criteria as 700 to acceptable keys and algorithms and, with the extensions in this 701 document, truncations. Note that it is common for implementations to 702 bind the TSIG secret key or keys that may be in place at two parties 703 to particular algorithms. Thus, such implementations only permit the 704 use of an algorithm if there is an associated key in place. Receipt 705 of an unknown, unimplemented, or disabled algorithm typically results 706 in a BADKEY error. 708 Local policies MAY require the rejection of TSIGs, even though they 709 use an algorithm for which implementation is mandatory. 711 When a local policy permits acceptance of a TSIG with a particular 712 algorithm and a particular non-zero amount of truncation, it SHOULD 713 also permit the use of that algorithm with lesser truncation (a 714 longer MAC) up to the full HMAC output. 716 Regardless of a lower acceptable truncated MAC length specified by 717 local policy, a reply SHOULD be sent with a MAC at least as long as 718 that in the corresponding request. Note if the request specified a 719 MAC length longer than the HMAC output it will be rejected by 720 processing rules Section 6.5.2 case 1. 722 Implementations permitting multiple acceptable algorithms and/or 723 truncations SHOULD permit this list to be ordered by presumed 724 strength and SHOULD allow different truncations for the same 725 algorithm to be treated as separate entities in this list. When so 726 implemented, policies SHOULD accept a presumed stronger algorithm and 727 truncation than the minimum strength required by the policy. 729 9. Shared Secrets 731 Secret keys are very sensitive information and all available steps 732 should be taken to protect them on every host on which they are 733 stored. Generally such hosts need to be physically protected. If 734 they are multi-user machines, great care should be taken that 735 unprivileged users have no access to keying material. Resolvers 736 often run unprivileged, which means all users of a host would be able 737 to see whatever configuration data is used by the resolver. 739 A name server usually runs privileged, which means its configuration 740 data need not be visible to all users of the host. For this reason, 741 a host that implements transaction-based authentication should 742 probably be configured with a "stub resolver" and a local caching and 743 forwarding name server. This presents a special problem for 744 [RFC2136] which otherwise depends on clients to communicate only with 745 a zone's authoritative name servers. 747 Use of strong random shared secrets is essential to the security of 748 TSIG. See [RFC4086] for a discussion of this issue. The secret 749 SHOULD be at least as long as the HMAC output, i.e., 16 bytes for 750 HMAC-MD5 or 20 bytes for HMAC-SHA1. 752 10. IANA Considerations 754 IANA maintains a registry of algorithm names to be used as "Algorithm 755 Names" as defined in Section 4.3. Algorithm names are text strings 756 encoded using the syntax of a domain name. There is no structure 757 required other than names for different algorithms must be unique 758 when compared as DNS names, i.e., comparison is case insensitive. 759 Previous specifications [RFC2845] and [RFC4635] defined values for 760 HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an 761 identifier for TSIG authentication where the cryptographic operations 762 are delegated to the Generic Security Service (GSS) [RFC3645]. 764 New algorithms are assigned using the IETF Consensus policy defined 765 in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like 766 a fully-qualified domain name for historical reasons; other algorithm 767 names are simple (i.e., single-component) names. 769 IANA maintains a registry of "TSIG Error values" to be used for 770 "Error" values as defined in Section 4.3. Initial values should be 771 those defined in Section 3. New TSIG error codes for the TSIG error 772 field are assigned using the IETF Consensus policy defined in 773 [RFC8126]. 775 11. Security Considerations 777 The approach specified here is computationally much less expensive 778 than the signatures specified in DNSSEC. As long as the shared 779 secret key is not compromised, strong authentication is provided for 780 the last hop from a local name server to the user resolver. 782 Secret keys should be changed periodically. If the client host has 783 been compromised, the server should suspend the use of all secrets 784 known to that client. If possible, secrets should be stored in 785 encrypted form. Secrets should never be transmitted in the clear 786 over any network. This document does not address the issue on how to 787 distribute secrets. Secrets should never be shared by more than two 788 entities. 790 This mechanism does not authenticate source data, only its 791 transmission between two parties who share some secret. The original 792 source data can come from a compromised zone master or can be 793 corrupted during transit from an authentic zone master to some 794 "caching forwarder." However, if the server is faithfully performing 795 the full DNSSEC security checks, then only security checked data will 796 be available to the client. 798 A fudge value that is too large may leave the server open to replay 799 attacks. A fudge value that is too small may cause failures if 800 machines are not time synchronized or there are unexpected network 801 delays. The recommended value in most situation is 300 seconds. 803 For all of the message authentication code algorithms listed in this 804 document, those producing longer values are believed to be stronger; 805 however, while there have been some arguments that mild truncation 806 can strengthen a MAC by reducing the information available to an 807 attacker, excessive truncation clearly weakens authentication by 808 reducing the number of bits an attacker has to try to break the 809 authentication by brute force [RFC2104]. 811 Significant progress has been made recently in cryptanalysis of hash 812 functions of the types used here, all of which ultimately derive from 813 the design of MD4. While the results so far should not effect HMAC, 814 the stronger SHA-1 and SHA-256 algorithms are being made mandatory 815 due to caution. Note that today SHA-3 [FIPS202] is available as an 816 alternative to SHA-2 using a very different design. 818 See also the Security Considerations section of [RFC2104] from which 819 the limits on truncation in this RFC were taken. 821 11.1. Issue fixed in this document 823 When signing a DNS reply message using TSIG, its MAC computation uses 824 the request message's MAC as an input to cryptographically relate the 825 reply to the request. Unfortunately, the original TSIG specification 826 [RFC2845] failed to clearly require the request MAC to be 827 successfully validated before using it. 829 This document proposes the principle that the MAC must be considered 830 to be invalid until it was validated. This leads to the requirement 831 that only a validated request MAC is included in a signed answer. Or 832 with other words when the request MAC was not validated the answer 833 must be unsigned with a BADKEY or BADSIG TSIG error. 835 11.2. Why not DNSSEC? 837 This section from the original document [RFC2845] analyzes DNSSEC in 838 order to justify the introduction of TSIG. 840 DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and 841 [RFC4035]) to provide for data origin authentication, and public key 842 distribution, all based on public key cryptography and public key 843 based digital signatures. To be practical, this form of security 844 generally requires extensive local caching of keys and tracing of 845 authentication through multiple keys and signatures to a pre-trusted 846 locally configured key. 848 One difficulty with the DNSSEC scheme is that common DNS 849 implementations include simple "stub" resolvers which do not have 850 caches. Such resolvers typically rely on a caching DNS server on 851 another host. It is impractical for these stub resolvers to perform 852 general DNSSEC authentication and they would naturally depend on 853 their caching DNS server to perform such services for them. To do so 854 securely requires secure communication of queries and responses. 855 DNSSEC provides public key transaction signatures to support this, 856 but such signatures are very expensive computationally to generate. 857 In general, these require the same complex public key logic that is 858 impractical for stubs. 860 A second area where use of straight DNSSEC public key based 861 mechanisms may be impractical is authenticating dynamic update 862 [RFC2136] requests. DNSSEC provides for request signatures but with 863 DNSSEC they, like transaction signatures, require computationally 864 expensive public key cryptography and complex authentication logic. 865 Secure Domain Name System Dynamic Update ([RFC3007]) describes how 866 different keys are used in dynamically updated zones. 868 12. References 870 12.1. Normative References 872 [FIPS180-4] 873 National Institute of Standards and Technology, "Secure 874 Hash Standard (SHS)", FIPS PUB 180-4, August 2015. 876 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 877 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 878 . 880 [RFC1035] Mockapetris, P., "Domain names - implementation and 881 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 882 November 1987, . 884 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 885 Requirement Levels", BCP 14, RFC 2119, 886 DOI 10.17487/RFC2119, March 1997, 887 . 889 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. 890 Wellington, "Secret Key Transaction Authentication for DNS 891 (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, 892 . 894 [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication 895 Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", 896 RFC 4635, DOI 10.17487/RFC4635, August 2006, 897 . 899 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 900 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 901 May 2017, . 903 12.2. Informative References 905 [FIPS202] National Institute of Standards and Technology, "SHA-3 906 Standard", FIPS PUB 202, August 2015. 908 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 909 DOI 10.17487/RFC1321, April 1992, 910 . 912 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 913 Hashing for Message Authentication", RFC 2104, 914 DOI 10.17487/RFC2104, February 1997, 915 . 917 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 918 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 919 RFC 2136, DOI 10.17487/RFC2136, April 1997, 920 . 922 [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY 923 RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000, 924 . 926 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures 927 ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 928 2000, . 930 [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic 931 Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, 932 . 934 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 935 (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, 936 . 938 [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., 939 and R. Hall, "Generic Security Service Algorithm for 940 Secret Key Transaction Authentication for DNS (GSS-TSIG)", 941 RFC 3645, DOI 10.17487/RFC3645, October 2003, 942 . 944 [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", 945 RFC 3874, DOI 10.17487/RFC3874, September 2004, 946 . 948 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 949 Rose, "DNS Security Introduction and Requirements", 950 RFC 4033, DOI 10.17487/RFC4033, March 2005, 951 . 953 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 954 Rose, "Resource Records for the DNS Security Extensions", 955 RFC 4034, DOI 10.17487/RFC4034, March 2005, 956 . 958 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 959 Rose, "Protocol Modifications for the DNS Security 960 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 961 . 963 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 964 "Randomness Requirements for Security", BCP 106, RFC 4086, 965 DOI 10.17487/RFC4086, June 2005, 966 . 968 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 969 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 970 DOI 10.17487/RFC6234, May 2011, 971 . 973 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 974 for DNS (EDNS(0))", STD 75, RFC 6891, 975 DOI 10.17487/RFC6891, April 2013, 976 . 978 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 979 Writing an IANA Considerations Section in RFCs", BCP 26, 980 RFC 8126, DOI 10.17487/RFC8126, June 2017, 981 . 983 Appendix A. Acknowledgments 985 This document just consolidates and updates the earlier documents by 986 the authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. 987 Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake 988 3rd). It would not be possible without their original work. 990 The security problem addressed by this document was reported by 991 Clement Berthaux from Synacktiv. 993 Note for the RFC Editor (to be removed before publication): the first 994 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 995 I do not know if xml2rfc supports non ASCII characters so I prefer to 996 not experiment with it. BTW I am French too too so I can help if you 997 have questions like correct spelling... 999 Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund 1000 Sivaraman and Ralph Dolmans participated in the discussions that 1001 prompted this document. 1003 Appendix B. Change History 1005 draft-dupont-dnsop-rfc2845bis-00 1007 [RFC4635] was merged. 1009 Authors of original documents were moved to Acknowledgments 1010 (Appendix A). 1012 Section 2 was updated to [RFC8174] style. 1014 Spit references into normative and informative references and 1015 updated them. 1017 Added a text explaining why this document was written in the 1018 Abstract and at the beginning of the introduction. 1020 Clarified the layout of TSIG RDATA. 1022 Moved the text about using DNSSEC from the Introduction to the end 1023 of Security Considerations. 1025 Added the security clarifications: 1027 1. Emphasized that MAC is invalid until it is successfully 1028 validated. 1030 2. Added requirement that a request MAC that has not been 1031 successfully validated MUST NOT be included into a response. 1033 3. Added requirement that a request that has not been validated 1034 to the MUST NOT generate a signed response. 1036 4. Added note about MAC too short for the local policy to the 1037 Section 6.3. 1039 5. Changed the order of server checks and swapped corresponding 1040 sections. 1042 6. Removed the truncation size limit "also case" as it does not 1043 apply and added confusion. 1045 7. Relocated the error provision for TSIG truncation to the new 1046 Section 6.5.5. Moved from RCODE 22 to RCODE 9 and TSIG ERROR 1047 22, i.e., aligned with other TSIG error cases. 1049 8. Added Section 6.6.4 about truncation error handling by 1050 clients. 1052 9. Removed the limit to HMAC output in replies as a request 1053 which specified a MAC length longer than the HMAC output is 1054 invalid according the the first processing rule in 1055 Section 6.5.2. 1057 10. Promoted the requirement that a secret length should be at 1058 least as long as the HMAC output to a SHOULD [RFC2119] key 1059 word. 1061 11. Added a short text to explain the security issue. 1063 draft-dupont-dnsop-rfc2845bis-01 1065 Improved wording (post-publication comments). 1067 Specialized and renamed the "TSIG on TCP connection" (Section 6.4) 1068 to "TSIG on zone tranfer over a TCP connection". Added a SHOULD 1069 for a TSIG in each message (was envelope) for new implementations. 1071 draft-ietf-dnsop-rfc2845bis-00 1073 Adopted by the IETF DNSOP working group: title updated and version 1074 counter reseted to 00. 1076 Authors' Addresses 1078 Francis Dupont (editor) 1079 Internet Software Consortium 1080 950 Charter Street 1081 Redwood City, CA 94063 1082 United States 1084 Email: Francis.Dupont@fdupont.fr 1085 Stephen Morris 1086 Internet Software Consortium 1087 950 Charter Street 1088 Redwood City, CA 94063 1089 United States 1091 Email: stephen@isc.org 1092 URI: http://www.isc.org